Security at Olive

Effective Date: June 23, 2025
Last Updated: June 23, 2025

Olive is designed to protect your data and support your wellbeing. This document describes our security practices across infrastructure, access, data protection, AI safety, monitoring, and incident response.

Important: Olive is not a medical, clinical, or emergency service. If you or someone you know is in immediate danger, call your local emergency number. See our Crisis Resources for country-specific hotlines.

1) Scope and Principles

• Scope. This policy covers the Olive application, APIs, background services, and supporting infrastructure used to deliver the product.
• Security by design. We design features with privacy and security requirements from the start, including threat modeling and defense in depth.
• Least privilege. Access to systems and data is limited to the minimum necessary to do the job.
• Transparency. We disclose our security posture and practices to users and partners.
• Continuous improvement. We monitor, test, and update controls routinely.

2) Data Protection

• Encryption in transit. All traffic between clients and Olive services uses HTTPS/TLS.
• Encryption at rest. Data stored by Olive is encrypted at rest using industry-standard algorithms provided by our cloud providers.
• Key management. Encryption keys are managed using cloud-native key management services with strict access controls and rotation policies.
• Backups and recovery. We maintain encrypted, periodic backups and test recovery procedures to ensure business continuity.
• Data minimization. We collect only what is needed to provide the service (for example, name, email, role, content you choose to store).
• Data retention. Data is retained only as long as necessary to operate the service or as required by law. Users may request deletion within the app.
• Export. Users can export their data from within account controls.

3) Infrastructure and Operations

• Cloud hosting. Olive is hosted on hardened, professionally managed cloud infrastructure with physical and environmental safeguards.
• Network security. We use firewalls, security groups, private networking, and least-privileged service-to-service communication.
• Dependency hygiene. We regularly patch operating systems, containers, and third-party libraries; CI pipelines enforce vulnerability scanning.
• Secrets management. Credentials and API keys are stored in secure secret stores; secrets are never committed to source control.

4) Access Control and Identity

• Authentication. User authentication is handled by a reputable identity provider; sessions are protected using modern standards.
• Role-based access. Product features use roles (for example, Father, Partner, Child) with narrowly scoped permissions.
• Administrative access. Administrative consoles require MFA, SSO, device trust, and strong password policies.
• Audit trails. Sensitive administrative actions are logged and periodically reviewed.

5) Application Security

• Secure development lifecycle. Engineers follow secure coding guidelines, code review, dependency scanning, and automated tests.
• Input validation and output encoding. We validate and sanitize inputs to prevent injection vulnerabilities; we encode outputs appropriately.
• Rate limiting and abuse protection. We throttle traffic and requests to reduce brute force, scraping, and resource exhaustion risks.
• Content filtering. We filter harmful or disallowed content before it is stored or processed by downstream services.
• Third-party review. We engage independent security reviews and testing as the platform evolves.

6) AI Safety and Responsible Use

Olive uses large language model (LLM) technologies to provide supportive, empathetic responses. We put safety first:

• Not a clinician. AI responses are supportive only and are not medical, legal, or clinical advice.
• Guardrails and policies. The AI is configured with refusal and safety policies that block instructions for self-harm, harm to others, illegal activity, or explicit content.
• Self-harm and crisis detection.
  • We apply multiple signals to detect potential self-harm ideation or crisis language in user inputs (for example, content filters and classifiers).
  • When potential risk is detected, the AI avoids providing instructions, responds with supportive language, encourages seeking help from trusted people, and surfaces real-world resources.
  • For U.S. and international hotlines, we present resources aligned with the user’s region when available (see /shared/legal/crisis.md).
• Human-in-the-loop options. Users can choose to contact human support channels from within the app. Olive does not automatically contact third parties unless legally required or you explicitly request outreach.
• Jailbreak resistance. Prompts and system policies are tested against common jailbreak patterns; we maintain rate limits, prompt shielding, and response filters.
• Model and provider controls. We review LLM provider safety documentation and configure content filtering APIs where available. Providers may change over time; we publish an updated sub-processor list when applicable.
• Limited logging. We minimize storage of sensitive AI prompts and responses and segregate safety logs from user content where feasible, retaining only what is needed to operate and improve safety features.

7) Privacy and Compliance

• User rights. Subject to applicable law, users may request access, correction, deletion, or export of their data.
• Children and families. Olive is designed for father-child connections; for minors, parent/guardian setup and controls apply.
• Regional compliance. We align our practices with major privacy frameworks (for example, GDPR and CCPA) where applicable to our operations.
• Sub-processors. We use vetted vendors for authentication, storage, analytics, and AI. We require contractual security and confidentiality obligations and publish updates to our sub-processor list when it changes.

For details, see our Privacy Policy: /shared/legal/privacy.md.

8) Monitoring, Logging, and Detection

• Security monitoring. We collect security telemetry (for example, authentication events, admin actions, system anomalies) and alert on suspicious activity.
• Integrity checks. We use checksums and configuration monitoring to detect unexpected changes.
• Availability. We monitor uptime and critical service health with automated alerting.

9) Incident Response

• Runbooks. We maintain documented procedures for security incidents (triage, containment, eradication, recovery, and post-incident review).
• Notification. If a data breach affecting your personal information occurs, we will notify you and relevant authorities as required by law.
• Learning. We track root causes and implement improvements to prevent recurrence.

10) Responsible Disclosure

We welcome reports from researchers and users. If you believe you have found a security vulnerability:

• Email: security@olivefordads.com
• Include a clear description, steps to reproduce, and any relevant logs or screenshots.
• Do not access data that does not belong to you; avoid service disruption.
• We will acknowledge receipt, investigate, and keep you informed of our progress.

11) Limitations and Commitments

• No guarantee of detection. While we employ detection for crisis language and harmful content, no system can identify every case. Olive’s AI does not replace professional care.
• No emergency outreach. Olive does not automatically contact emergency services on your behalf. If you need urgent help, call your local emergency number immediately.
• Continuous updates. This document will evolve as our controls and services change. Significant updates will be posted in-app and on our website.

12) Contact

• General security questions: security@olivefordads.com
• Privacy requests: privacy@olivefordads.com
• Support: support@olivefordads.com

We are committed to protecting your data and supporting your wellbeing with safe, secure technology.